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SQTrust:  Social  and  QoS  Trust  Management 
and  Its  Application  to  Mission-Oriented 

Mobile  Groups 


Ing-Ray  Chen,  Fenye  Bao,  and  Jin-Hee  Cho 

Abstract— We  propose  to  combine  the  notion  of  social  trust  derived  from  social  networks  with  that  of 
quality-of-service  (QoS)  trust  derived  from  communication  networks  to  obtain  a  composite  trust 
metric  as  a  basis  for  evaluating  trust  of  mobile  nodes  in  mobile  ad  hoc  network  (MANET) 
environments.  We  develop  a  novel  model-based  approach  to  identify  the  best  protocol  setting  under 
which  peer-to-peer  subjective  trust  as  a  result  of  executing  our  distributed  trust  management  protocol 
is  accurate  with  respect  to  ground  truth  status  over  a  wide  range  of  operational  and  environment 
conditions  with  high  resiliency  to  malicious  attacks  and  misbehaving  nodes.  Furthermore,  using 
mission-oriented  mobile  groups  as  an  application,  we  identify  the  best  trust  formation  model  under 
which  the  application  performance  in  terms  of  the  system  reliability  of  mission-oriented  mobile  groups 
in  MANET  environments  is  maximized. 

Index  Terms —  trust  management,  mobile  ad  hoc  networks,  social  networks,  model-based 
evaluation,  hierarchical  modeling,  Stochastic  Petri  Nets,  reliability. 
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1  Introduction 

he  concept  of  "trust"  originally  derives  from  the 
social  sciences  and  is  defined  as  the  subjective  de¬ 
gree  of  a  belief  about  the  behaviors  of  a  particular  en¬ 
tity  [12].  Blaze  et  al.  [7]  first  introduced  the  term 
"Trust  Management"  and  identified  it  as  a  separate 
component  of  security  services  in  networks  and  clari¬ 
fied  that  "Trust  management  provides  a  unified  ap¬ 
proach  for  specifying  and  interpreting  security  poli¬ 
cies,  credentials,  and  relationships."  Trust  manage¬ 
ment  in  mobile  ad  hoc  networks  (MANETs)  is  needed 
when  participating  nodes,  without  any  previous  in¬ 
teractions,  desire  to  establish  a  network  with  an  ac¬ 
ceptable  level  of  trust  relationships  among  them,  for 
example,  for  coalition  operation  without  predefined 
trust.  Thus,  the  concept  of  trust  is  attractive  to  com¬ 
munication  and  network  protocol  designers  where 
trust  relationships  among  participating  nodes  are  crit¬ 
ical  to  building  collaborative  environments  to  achieve 
system  optimization.  Many  researchers  in  the  net¬ 
working  and  communication  field  have  defined  trust 
differently  such  as  "a  set  of  relations  in  protocol  run- 
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ning"  [14],  "a  belief  on  reliability,  dependability,  or 
security"  [24],  "a  belief  about  competence  or  honesty 
in  a  specific  context"  [3],  and  "reliability,  timeliness, 
and  integrity  of  message  delivery"  [25]. 

Trust  management  is  often  used  with  different 
purposes  in  diverse  decision  making  situations  such 
as  secure  routing  [5],  [16],  [31],  [34],  [37],  key  man¬ 
agement  [9],  [18],  authentication  [29],  access  control 
[i],  and  intrusion  detection  [2].  Further,  general  trust 
or  reputation  evaluation  schemes  have  also  been  pro¬ 
posed  with  a  variety  of  approaches  such  as  semirings 
[35],  graph/ random  theory  [6],  Markov  chain  [9],  etc. 
Trust  management  has  also  received  much  research 
attention  in  peer-to-peer  (P2P)  networks  (e.g.,  Eigen- 
Trust  [23],  PeerTrust  [38])  for  applications  like  file 
sharing,  electronic  commerce,  etc.  These  protocols  for 
P2P  networks  consider  both  direct  observation  and 
indirect  recommendation  in  trust  evaluation,  which  is 
similar  to  ours.  However,  these  protocols  obtain  rec¬ 
ommendations  either  from  just  acquaintance  peers  or 
from  all  peers.  This  hinders  their  applicability  to 
MANETs  because  of  rapidly  changing  topology  and 
connectivity  in  MANET  environments.  In  contrast, 
our  protocol  considers  1-hop  neighbors  as  trust  rec- 
ommenders  and  identifies  the  best  way  of  combining 
direct  observation  and  indirect  recommendation  to 
achieve  high  accuracy.  Moreover,  our  protocol  does 
not  require  pre-trust  information  or  the  existence  of  a 
centralized  trusted  authority.  The  process  of  propa¬ 
gating  and  aggregating  trust  is  essentially  an  infor¬ 
mation  diffusion  process  [19].  Traditional  information 
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diffusion  models  assume  that  trust  already  exists  to 
affect  information  diffusion,  and  do  not  consider  false 
recommendation  attacks  performed  by  malicious  enti¬ 
ties.  In  this  paper,  we  use  the  concept  of  information 
diffusion  to  build  trust  despite  the  presence  of  mali¬ 
cious  nodes  performing  false  recommendation  attacks 
to  break  the  trust  system. 

[10]  provides  a  survey  on  trust  management  in 
MANETs.  A  mobile  ad  hoc  group  in  MANET  envi¬ 
ronments  very  frequently  comprises  human  operators 
carrying  communication  devices.  Thus,  in  addition  to 
traditional  quality  of  service  (QoS)  trust  metrics  includ¬ 
ing  competence,  cooperativeness,  reliability,  and  task 
satisfaction,  one  must  also  consider  social  trust  metrics 
including  friendship,  honesty,  privacy,  similarity,  be¬ 
tweenness  centrality  and  social  ties  [13]  for  trust  man¬ 
agement.  Golbeck  [17]  suggested  the  use  of  social 
networks  as  a  bridge  to  build  trust  relationships 
among  entities.  Yu  et  al.  [39]  used  social  networks  to 
evaluate  trust  values  in  the  presence  of  Sybil  attacks. 
Standard  QoS  performance  metrics  such  as  control 
packet  overhead,  throughput,  goodput,  packet  drop¬ 
ping  rate  and  delay  have  been  used  to  evaluate  trust 
[16],  [31],  [37].  Dependability  QoS  metrics  such  as 
availability  [18],  convergence  time  to  reach  a  steady 
state  in  trustworthiness  for  all  participating  nodes  [6], 
percentage  of  malicious  nodes  [8],  and  fault  tolerance 
based  on  reputation  [26],  [27]  also  have  been  em¬ 
ployed.  The  use  of  a  "trust  level"  to  associate  with  a 
node  has  received  attention  recently,  considering  gen¬ 
eral  attributes  such  as  confidence  [40],  trust  level  [34], 
trustworthiness  [26],  and  opinion  [35]. 

Unlike  prior  work,  we  suggest  using  both  social 
and  QoS  trust  metrics  to  assess  the  trust  level  of  a 
node  in  a  mobile  group  consisting  of  entities  exhibit¬ 
ing  both  social  and  performance  and  dependability 
behaviors.  We  note  that  prior  works  such  as  [13],  [17], 
[41]  also  considered  social  trust  metrics  in  communi¬ 
cation  networks.  The  contribution  of  our  work  relative 
to  these  prior  works  is  that  we  not  only  identify  the 
best  way  for  each  trust  metric  selected  (either  QoS  or 
social)  to  take  in  direct  experiences  and  recommenda¬ 
tions  information  so  that  the  assessment  of  the  trust 
property  is  the  most  accurate  against  actual  status,  but 
also  consider  the  trust  formation  issue  of  forming  the 
overall  trust  out  of  individual  social  and  QoS  trust 
metrics  to  maximize  application  performance. 

This  paper  has  the  following  contributions:  First, 
we  develop  a  new  trust  management  protocol 
(SQTrust)  based  on  a  composite  social  and  QoS  trust 
metric,  with  the  goal  to  yield  peer-to-peer  subjective 
trust  evaluation .  Second,  we  propose  a  model-based 
evaluation  technique  for  validating  SQTrust  based  on 
the  concept  of  objective  trust  evaluation  which  utilizes 
knowledge  regarding  the  operational  and  environ¬ 
ment  conditions  to  yield  idealistic  trust  values  against 


which  subjective  trust  values  obtained  from  SQTrust 
are  compared  for  validation.  Our  analysis  methodolo¬ 
gy  hinges  on  the  use  of  a  Stochastic  Petri  Net  (SPN) 
mathematical  model  [36]  for  describing  the  "actual" 
dynamic  behaviors  of  nodes  in  MANETs  in  the  pres¬ 
ence  of  well-behaved,  uncooperative  and  malicious 
nodes.  With  this  methodology,  we  demonstrate  that 
SQTrust  is  capable  of  providing  accurate  trust  assess¬ 
ment  compared  with  global  knowledge  and  actual 
node  status.  Finally,  we  apply  SQTrust  to  a  mission- 
oriented  mobile  group  application  considering  the 
intrinsic  relationship  between  trust  and  reliability  for 
critical  mission  execution  by  a  mobile  group  and  iden¬ 
tify  the  best  trust  protocol  setting  to  maximize  appli¬ 
cation  performance. 

We  notice  that  in  subjective  logic  [20],  the  term 
"subjective"  represents  the  subjective  perception 
about  the  world  and  individual  opinions  about  the 
truth  of  propositions.  We  use  the  term  "subjective" 
with  a  similar  intention.  However,  in  subjective  logic, 
trust  consists  of  three  components  (belief,  disbelief, 
and  uncertainty)  while  it  is  a  single  real  value  in  our 
trust  protocol.  Subjective  trust  in  this  paper  represents 
trust  obtained  by  each  node  as  a  result  of  executing 
our  proposed  trust  protocol.  The  term  "subjective"  is 
used  to  refer  to  the  fact  that  a  trustor  node's  trust  to¬ 
wards  a  trustee  node  is  subjective  based  on  local 
knowledge  (including  both  direct  observations  and 
indirection  recommendations).  Objective  trust  repre¬ 
sents  ground  truth  status  of  a  trustee  node  derivable 
from  the  output  of  the  SPN  model  which  faithfully 
describes  actual  status  of  nodes  in  the  system. 

The  rest  of  the  paper  is  organized  as  follows.  Sec¬ 
tion  2  describes  the  system  model  and  assumptions. 
Section  3  explains  SQTrust  executed  by  each  node  to 
perform  peer-to-peer  subjective  trust  evaluation.  Sec¬ 
tion  4  develops  a  performance  model  to  describe  dy¬ 
namic  behaviors  of  nodes  in  MANETs  in  the  presence 
of  misbehaving  nodes  with  the  objective  to  validate 
subjective  trust  evaluation  with  objective  trust  evalua¬ 
tion.  Section  5  presents  quantitative  results  obtained 
with  physical  interpretations  given.  Section  5  also  ex¬ 
amines  the  effect  of  trust  management  on  the  reliabil¬ 
ity  of  mission-oriented  mobile  groups  with  an  applica¬ 
tion  scenario  involving  a  commander  node  dynami¬ 
cally  selecting  a  number  of  nodes  it  trusts  most  for 
mission  execution  to  demonstrate  the  applicability  of 
SQTrust.  Section  6  presents  simulation  results  for 
simulation  validation.  Finally,  Section  7  summarizes 
the  paper  and  outlines  future  research  areas. 

2  System  Model 

A.  Operational  Profile 

We  follow  the  notion  of  " operational  profiles"  in  soft¬ 
ware  reliability  engineering  [28]  as  input  to  specify  the 


anticipated  operational  and  environment  conditions. 
Specifically,  a  system's  operational  profile  provides 
knowledge  regarding  (a)  environment  hostility,  i.e., 
how  often  nodes  are  compromised;  (b)  node  mobility, 
i.e.,  how  often  nodes  meet  and  how  they  interact  with 
each  other;  (c)  node  behavior,  i.e.,  how  nodes  will  be¬ 
have  based  on  node  status  including  good  behaviors 
by  good  nodes  and  bad  behaviors  by  bad  nodes;  (d) 
environment  resources,  i.e.,  the  initial  energy  each 
node  has  and  how  fast  energy  is  consumed  by  good  or 
bad  nodes;  and  (e)  system  failure  definitions  including 
both  operational  and  security  failure  conditions.  Later 
in  Section  5,  we  will  exemplify  the  input  operational 
profile  for  a  mobile  group  application  in  MANET  en¬ 
vironments.  An  operating  profile  does  not  represent  a 
controlled  setting.  For  example,  hostility  and  node 
behavior  as  part  of  the  operational  profile  merely 
specify  per-node  compromise  rate  and  energy  con- 
sumption/cooperativeness  behavior  but  do  not  tell  us 
which  nodes  are  compromised  and/or  uncooperative 
over  time.  In  response  to  operational  or  environment 
changes  (e.g.,  change  of  hostility),  the  system  using 
the  results  obtained  in  the  paper  can  adaptively  adjust 
trust  settings  to  optimize  application  performance. 

B.  Problem  Definition  and  Desirable  Output 

SQTrust  is  distributed  in  nature  and  is  run  by  each 
mobile  node  to  subjectively  yet  informatively  assess 
the  trust  levels  of  other  mobile  nodes.  Further, 
SQTrust  is  resilient  against  misbehaving  nodes.  Given 
the  operational  profile  as  input  covering  a  wide  range 
of  operational  and  environment  conditions,  we  aim  to 
solve  two  problems: 

•  Discover  and  apply  the  best  trust  aggregation  pro¬ 
tocol  setting  of  SQTrust  to  make  "subjective  trust" 
accurate  compared  with  "objective  trust"  despite 
the  presence  of  misbehaving  nodes.  The  desirable 
output  is  to  achieve  high  accuracy  in  peer-to-peer 
subjective  trust  evaluation  with  high  resiliency  to 
malicious  attacks. 

•  Discover  and  apply  the  best  trust  formation  to 
maximize  application  performance.  For  the  mis¬ 
sion-oriented  mobile  group  application,  the  desir¬ 
able  output  is  to  maximize  the  system  reliability 
given  a  system  failure  definition. 

C.  Node  Behavior 

Node  behavior  is  part  of  the  operational  profile. 
While  our  model-based  analysis  technique  is  general¬ 
ly  applicable  to  any  node  behavior  specification,  for 
illustration  we  consider  the  following  node  behavior 
specification  in  this  paper: 

•  Every  node  shall  conserve  its  resources  (e.g.,  en¬ 
ergy)  as  long  as  it  does  not  jeopardize  the  global 
welfare  (i.e.,  successful  mission  execution).  Thus, 
when  a  node  senses  that  it  is  surrounded  by  many 
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uncooperative  1-hop  neighbors,  it  will  tend  to  be¬ 
come  cooperative  to  ensure  successful  mission  ex¬ 
ecution.  On  the  other  hand,  a  node  with  many  co¬ 
operative  1-hop  neighbors  around  will  tend  to  be¬ 
come  uncooperative  to  conserve  its  resources, 
knowing  that  this  will  not  jeopardize  the  global 
welfare. 

•  Every  node  has  a  different  level  of  energy,  speed 
and  vulnerability  reflecting  node  heterogeneity. 
The  energy  consumption  rate  of  a  node  depends 
on  its  status.  If  a  node  is  uncooperative,  the  speed 
of  energy  consumption  is  slowed  down  since  an 
uncooperative  node  will  not  follow  protocol  exe¬ 
cution.  If  a  node  becomes  compromised,  the  speed 
of  energy  consumption  increases  since  a  compro¬ 
mised  node  will  perform  attacks  which  consume 
energy.  A  node's  vulnerability  is  reflected  by  a 
compromised  rate,  e.g.,  a  capture  by  attackers  af¬ 
ter  which  the  node  is  compromised. 

•  A  compromised  node  may  perform  slandering 
attacks,  (e.g.,  good-mouthing  bad  nodes  and  bad- 
mouthing  good  nodes),  identity  attacks  (e.g., 
Sybil)  or  Denial-of-Service  (DoS)  attacks  (e.g.,  con¬ 
suming  resources  unnecessarily  by  disseminating 
bogus  packets).  We  assume  that  a  compromised 
node  will  always  perform  attacks  on  good  nodes 
and  does  not  discriminate  good  nodes  when  per¬ 
forming  attacks. 

D.  Mission-Oriented  Mobile  Groups 

As  an  application  of  SQTrust,  we  apply  it  to  mis¬ 
sion-oriented  mobile  groups.  A  mission-oriented  mo¬ 
bile  group  consists  of  a  number  of  mobile  nodes  coop¬ 
erating  to  complete  a  mission,  with  one  or  more  being 
the  commander  nodes  of  the  group.  Upon  a  member¬ 
ship  change  due  to  join  or  leave,  rekeying  can  be  per¬ 
formed  based  on  a  distributed  key  agreement  protocol 
such  as  the  Group  Diffie-Hellman  (GDH)  protocol 
[33].  For  mission-critical  applications,  it  is  frequently 
required  that  nodes  on  a  mission  must  have  a  mini¬ 
mum  degree  of  trust  for  the  mission  to  have  a  reason¬ 
able  chance  of  success.  On  one  hand,  a  mission  may 
require  a  sufficient  number  of  nodes  to  collaborate. 
On  the  other  hand,  the  trust  relationship  may  fade 
away  between  nodes  both  temporarily  and  spatially. 
SQTrust  equips  each  node  with  the  ability  to  subjec¬ 
tively  assess  the  trust  levels  of  other  nodes  and  select 
highly  trustworthy  nodes  for  collaboration  to  maxim¬ 
ize  the  probability  of  successful  mission  execution. 

3  Design  of  SQTrust 

In  this  section,  we  first  describe  our  SQTrust  protocol 
to  be  executed  by  every  node  at  runtime.  Then  we  dis¬ 
cuss  its  application  to  reliability  assessment  of  a  mis¬ 
sion-oriented  mobile  group  in  MANET  environments. 
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A .  Trust  Composition 

A  node  with  a  very  low  trust  value  is  of  little  value 
to  the  system  and  depending  on  the  application  re¬ 
quirement  may  be  evicted  to  prevent  it  from  perform¬ 
ing  attacks  to  damage  the  system  functionality.  A 
node's  trust  value  is  assessed  based  on  evidences  such 
as  direct  observations  as  well  as  indirect  recommenda¬ 
tions.  Our  trust  model  is  evidence-based.  Thus  we  do 
not  consider  dispositional  belief  or  cognitive  charac¬ 
teristics  of  an  entity  in  deriving  trust.  The  trust  as¬ 
sessment  of  one  node  toward  another  node  is  updated 
periodically. 

Our  trust  metric  consists  of  two  trust  types:  social 
trust  and  QoS  trust.  Social  trust  is  evaluated  through 
interaction  experiences  in  social  networks  to  account 
for  social  relationships.  Note  that  this  work  concerns 
mobile  devices  carried  by  human  users  as  part  of  a 
social  network.  Among  the  many  social  trust  metrics 
such  as  friendship,  honesty,  privacy,  similarity,  be¬ 
tweenness  centrality,  and  social  ties  [13],  we  select 
social  ties  (measured  by  intimacy)  and  honesty 
(measured  by  healthiness)  to  measure  the  social  trust 
level  of  a  node  as  these  social  properties  are  consid¬ 
ered  critical  for  trustworthy  mission  execution  in 
group  settings.  QoS  trust  is  evaluated  through  the 
communication  and  information  networks  by  the  ca¬ 
pability  of  a  node  to  complete  a  mission  assigned. 
Among  the  many  QoS  metrics  such  as  competence, 
cooperation,  reliability,  and  task  performance,  we  se¬ 
lect  competence  (measured  by  energy)  and  protocol 
compliance  (measured  by  cooperativeness  in  protocol 
execution)  to  measure  the  QoS  trust  level  of  a  node 
since  competence  and  cooperation  are  considered  the 
most  critical  QoS  trust  properties  for  mission  execu¬ 
tion  in  group  settings.  Quantitatively,  let  a  node's 
trust  level  toward  another  node  be  a  real  number  in 
the  range  of  [0, 1],  with  1  indicating  complete  trust,  0.5 
ignorance,  and  0  complete  distrust.  Let  a  node's  trust 
level  toward  another  node's  particular  trust  compo¬ 
nent  also  be  in  the  range  of  [0, 1]  with  the  same  physi¬ 
cal  meaning. 

The  rationale  of  selecting  these  social  and  QoS  trust 
metrics  is  given  as  follows.  The  intimacy  component 
(for  measuring  social  ties)  has  a  lot  to  do  with  if  two 
nodes  have  a  lot  of  direct  or  indirect  interaction  expe¬ 
riences  with  each  other,  for  example,  for  packet  rout¬ 
ing  and  forwarding.  The  healthiness  component  (for 
measuring  honesty)  is  essentially  a  belief  of  whether  a 
node  is  malicious  or  not.  We  relate  it  to  the  probability 
that  a  node  is  not  compromised.  The  energy  compo¬ 
nent  refers  to  the  residual  energy  of  a  node,  and  for  a 
MANET  environment,  energy  is  directly  related  to  the 
survivability  capability  of  a  node  to  be  able  to  execute 
a  task  completely,  particularly  when  the  current  and 
future  missions  may  require  a  long  mission  execution 


time.  Finally,  the  cooperativeness  component  of  a 
node  is  related  to  whether  the  node  is  cooperative  in 
routing  and  forwarding  packets.  For  mobile  groups, 
we  relate  it  to  the  trust  to  a  node  being  able  to  faithful¬ 
ly  follow  the  prescribed  protocol  such  as  relaying  and 
responding  to  group  communication  packets. 

Other  than  the  healthiness  trust  component,  we  as¬ 
sert  that  a  node  can  have  fairly  accurate  trust  assess¬ 
ments  toward  its  1-hop  neighbors  utilizing  monitor¬ 
ing,  overhearing  and  snooping  techniques.  For  exam¬ 
ple,  a  node  can  monitor  interaction  experiences  with  a 
target  node  within  radio  range,  and  can  overhear  the 
transmission  power  and  packet  forwarding  activities 
performed  by  the  target  node  over  a  trust  evaluation 
window  At  to  assess  the  target  node's  energy  and  co¬ 
operativeness  status.  For  a  target  node  more  than  1- 
hop  away,  a  node  will  refer  to  a  set  of  recommenders 
for  its  trust  toward  the  remote  target  node. 

B .  Design  against  Slandering  Attacks 

SQtrust  is  resilient  to  good-mouthing  and  bad- 
mouthing  attacks  by  two  recommender  selection  crite¬ 
ria:  (a)  threshold-based  filtering  by  which  only  trustwor¬ 
thy  recommenders  with  trust  higher  than  a  minimum 
trust  threshold  are  qualified  as  recommenders;  and  (b) 
relevance-based  trust  by  which  only  recommenders 
with  high  trust  in  trust  component  X  are  qualified  as 
recommenders  to  provide  recommendations  about  a 
trustee's  trust  component  X. 

C.  SQTrust  Protocol  Description 

The  trust  value  of  node  j  as  evaluated  by  node  i  at 
time  t,  denoted  as  Titj(t),  is  in  the  range  of  [0, 1]  and  is 
computed  by  node  i  as  a  weighted  average  of  intima¬ 
cy,  healthiness,  energy,  and  cooperativeness  trust 
components.  The  assessment  is  done  periodically  in 
every  At  interval.  Specifically  node  i  will  compute 
Ttjit)  by: 

=  xTj(t)  (1) 

X 

where  7$(t)  is  the  trust  belief  of  node  i  toward  node  j 
in  trust  component  X=intimacy,  healthiness,  energy  or 
cooperativeness  and  wx  is  the  weight  associated  with 
X.  Below  we  use  the  notation  w1:w2:w3:w4  for 

wintimacy .  ^healthiness .  ^energy .  wcooperativeness  for 
tational  convenience. 

Node  i  evaluates  node  j  at  time  t  by  direct  observa¬ 
tions  and  indirect  recommendations.  Direct  observa¬ 
tions  are  direct  evidences  collected  by  node  i  toward 
node  j  over  the  time  interval  [t  -  dAt,  t]  when  node  i 
and  node  j  are  1-hop  neighbors  at  time  t.  Here  At  is 
the  trust  update  interval  and  d  is  a  design  parameter 
specifying  the  extent  to  which  recent  interaction  expe¬ 
riences  would  contribute  to  intimacy.  We  can  go  back 
as  far  as  t= 0,  that  is,  d=f/At,  if  all  interaction  experi- 


ences  are  considered  equally  important  Indirect  rec¬ 
ommendations,  on  the  other  hand,  are  indirect  evi¬ 
dences  given  to  node  z  by  a  subset  of  1-hop  neighbors 
selected  based  on  threshold-based  filtering  and  relevance- 
based  trust  selection  criteria.  Specifically,  node  i  will 
compute  T*j(t)  where  X  is  a  trust  component  in  Equa¬ 
tion  1  by: 

W  =  A  Tff™*-  x(t)  +  p2  Tl  ™direct’  *(t)  (2) 


In  Equation  2,  px  is  a  parameter  to  weigh  node  z's 
own  information  toward  node  j  at  time  t,  i.e.,  "direct 
observations"  or  "self-information"  and  /?2  is  a  pa¬ 
rameter  to  weigh  indirect  information  from  recom- 
menders,  i.e.,  "information  from  others,"  with 
Pi  +  P2  =  1-  When/?!  >  p2  it  reflects  a  node's  higher 
confidence  on  its  own  direct  observations  than  indi¬ 
rect  information  obtained  from  third  parties. 

The  direct  trust  part,  7yircct'  *(t),  in  Equation  2  is 
evaluated  by  node  i  at  time  t  depending  on  if  node  i  is 
a  1-hop  neighbor  of  node  j  at  time  t.  If  yes,  node  i  uses 
its  direct  observations  toward  node  j  during  [t  - 
dAt,  t]  to  update  Ttjirect’  x(t)  where  At  is  the  periodic 


trust  evaluation  interval.  Otherwise,  it  uses  its  old  di¬ 
rect  trust  assessment  at  time  t  -  At  multiplied  by 
e~AdAt  (for  exponential  trust  decay  over  time)  to  up¬ 
date  7fjirect'  x(t).  Specifically,  node  i  will  compute 
(0  by: 

)fect'  *(t) 

if  i  is  a  neighbor  to  j  at  t 


Tdirect,  X 

ij 


[Tt,Jh°P  X  (0 


j  e  x  TdjrectJC(t  —  At)  otherwise 


(3) 


To  account  for  trust  decay  over  time,  we  adopt  an 
exponential  time  decay  factor,  e~AdAt,  to  satisfy  the 
desirable  property  that  trust  decay  must  be  invariable 
to  the  trust  update  frequency  [21].  Depending  on  the 
trust  evaluation  interval  At ,  we  can  fine  tune  the  value 
of  A 4  to  test  the  effect  of  trust  decay  over  time.  The 
notation  Tffhop'  x  (t)  here  refers  to  the  new  "direct" 
trust  assessment  at  time  t.  Below  we  describe  specific 
detection  mechanisms  by  which  node  i  collects  direct 
observations  to  assess  7^"/lop'  x(t)  for  the  case  in 
which  i  and  j  are  1-hop  neighbors  at  time  t . 

•  Tljh0Vt  fntimacy(t):  This  refers  to  the  new  as¬ 
sessment  of  node  z's  direct  interaction  experience 
toward  node/.  It  is  computed  by  node  i  by  the  ratio 
of  the  amount  of  time  nodes  i  and  j  are  1-hop 
neighbors  directly  interacting  with  each  other  dur¬ 
ing  [t  -  dAt,  t]. 

•  T^fhop'  hcalthiness This  refers  to  the  belief  of 
node  i  that  node  j  is  healthy  based  on  node  z's  di¬ 
rect  observations  during  [t  —  dAt,t\.  Node  z  esti¬ 
mates  T^Jhop'  healthiness  (t)  by  the  ratio  of  the  num¬ 
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ber  of  suspicious  interaction  experiences  observed 
during  [t  -  dAt,  t]  to  a  system  "healthiness" 
threshold  to  reduce  false  positives.  Node  z  uses  a 
set  of  anomaly  detection  rules  including  the  inter¬ 
val  rule  (for  detecting  node  /' s  sending  bogus  mes¬ 
sages),  the  retransmission  rule  (for  detecting  node 
fs  dropping  messages),  the  integrity  rule  (for  de¬ 
tecting  node  fs  modifying  messages),  the  repeti¬ 
tion/jamming  rule  (for  detecting  node/'s  perform¬ 
ing  DOS  attacks),  and  the  delay  rule  (for  detecting 
node  fs  delaying  message  transmission)  as  in  [32] 
to  keep  a  count  of  suspicious  experiences  of  node  j 
during  [t  —  dAt,  t].  If  the  count  exceeds  the  "health¬ 
iness"  threshold,  node  z  considers  node  j  as  totally 
unhealthy,  i.e.,  T^fhop'  healthiness  (t)=0.  Otherwise  it 
is  equal  to  1  minus  the  ratio.  We  model  the  defi¬ 
ciencies  in  anomaly  detection  (e.g.,  imperfection  of 
rules)  by  a  false  negative  probability  (Pfn)  of  misi- 
dentifying  an  unhealthy  node  as  a  healthy  node, 
and  a  false  positive  probability  (PfP)  of  misidentify- 
ing  a  healthy  node  as  an  unhealthy  node. 

•  Ti  fhop’  ener3y(t):  This  refers  to  the  belief  of  node 
z  that  node  fs  energy  is  adequate  and  hence  is 
competent  providing  proper  services  at  time  t. 
Node  z  overhears  node  fs  packet  transmission  ac¬ 
tivities  during  [t  —  dAt,  t]  utilizing  an  energy  con¬ 
sumption  model  [15]  to  first  compute  the  amount 
of  energy  consumed  by  node  j  during  [t  -  dAt,  t] 
and  then  deduce  the  residual  energy  left  in  node  j 
at  time  t  by  extrapolation. 

•  Tlfh°Pt  ^operativeness  {ty  ^  prQvides  ^  beHef 

of  node  z  that  node;  is  protocol  compliant  based  on 
direct  observations  during  [t  -  dAt,t],  Node  z  esti¬ 
mates  cooperativeness  (t)hy  ^  ^  Qf  fte 

number  of  cooperative  interaction  experiences  to 
the  total  number  of  protocol  interaction  experienc¬ 
es.  Note  that  both  counts  are  related  to  protocol  ex¬ 
ecution  except  that  the  former  count  is  for  positive 
experiences  when  node  /,  as  observed  by  node  z, 
cooperatively  follows  the  prescribed  protocol  exe¬ 
cution. 

The  indirect  trust  part,  Tfj1*1™0*'  x(t )  in  Equation  2 
is  evaluated  by  node  z  at  time  t  by  taking  in  recom¬ 
mendations  from  a  subset  of  1-hop  neighbors  selected 
following  the  threshold-based  filtering  and  relevance- 
based  trust  selection  criteria.  Specifically,  node  z  will 
compute  T{jdirect'  x(t)  by: 


rindirect,  X 


(0 


nr 


if  nr  >  0 


(4) 


e-***  x  T{jdirect,x (t  -  At)  if  nr  =  0 


In  Equation  4,  m  is  a  recommender  and  V  is  a  set  of 
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TV  recommenders  chosen  by  node  i  from  its  1-hop 
neighbors  which  satisfy  the  threshold-based  filtering  and 
relevance-based  trust  selection  criteria.  That  is,  these  are 
the  recommenders  for  which  node  i's  in  trust 

component  X  is  higher  than  a  minimum  threshold 
denoted  by  Tf.  Here  we  note  that  when  a  recom- 
mender  node,  say,  node  m,  provides  its  recommenda¬ 
tion  to  node  i  for  evaluating  node  /  in  trust  component 
X,  node  i's  trust  in  node  m  is  also  taken  into  considera¬ 
tion  in  the  calculation  as  reflected  in  the  product  term 
on  the  right  hand  side  of  Equation  4.  This  accounts  for 
trust  decay  over  space.  If  nr= 0  then  Tljdirect'  *(t)  = 
e-xdit  x  ^indirect,  x^t  _  At)  to  account  for  trust  decay 

over  time. 

Lastly,  depending  on  the  mobile  application,  nodes 
in  a  mobile  group  may  join  or  leave  the  mobile  group. 
For  a  non-member,  say,  node/,  the  trust  level  Titj(t)  is 
the  same  as  its  trust  level  at  the  last  trust  evaluation 
instant  t  -  At  discounted  by  time  decay,  that  is, 
TtjQQ  =  e~^  x  Tu(t  -  At). 

An  interesting  metric  is  the  average  "subjective" 
trust  of  node  /  in  trust  component  X  at  time  t, 
TjSUb,x(t),  as  evaluated  by  all  active  member  nodes  in 
the  system.  It  can  be  calculated  by  a  weighted  average 
of  trust  component  X  from  all  active  member  nodes 
except  node/,  i.e., 

rpsub.x  s.\  _  Sail  ) 

'  (,)  — W"  <5) 

Another  interesting  metric  is  the  overall  average 
"subjective"  trust  level  of  node;,  denoted  by  Tfub(t), 
as  evaluated  by  all  active  nodes.  Once  we  obtain 
from  Equation  1,  Tfub(t )  can  be  computed  by: 

Tsubm  _  ,,, 

1  (t)’  (6) 

In  this  paper,  we  compare  Tfub(t)  with  the  "objec¬ 
tive"  trust  of  node  /,  denoted  by  Tj0b*(t),  calculated 
based  on  actual,  global  information  to  see  how  much 
deviation  subjective  trust  evaluation  is  from  objective 
trust  evaluation.  Specifically,  let  Tj0bJ,x(t )  denote  the 
"objective"  trust  of  node  /  in  trust  component  X  at 
time  t,  which  we  can  obtain  by  a  mathematical  model 
(see  Section  4  below).  Then,  following  Equation  1, 
Tj0bJ(t)  is  calculated  by: 

T°b>  (t)  =  ^  w*  x  7}  obi’x(t)  (7 

X 

By  means  of  a  novel  mathematical  model  (dis¬ 
cussed  later  in  Section  4)  describing  node  behaviors  in 
a  MANET,  we  can  calculate  the  objective  trust  levels 
of  all  nodes  in  the  system  based  on  actual  status  of 
nodes.  This  serves  as  the  basis  for  validating  SQTrust. 


D.  Mission-Oriented  Mobile  Group  Applications 

We  consider  mission-oriented  mobile  groups  as  an 
application  of  SQTrust.  In  military  battlefield  situa¬ 
tions,  very  frequently  a  commander  (a  special  node  in 
a  MANET)  will  need  to  assemble  and  dynamically 
manage  a  mobile  task  group  to  achieve  a  critical  mis¬ 
sion  assigned  despite  failure,  disconnection  or  com¬ 
promise  of  member  nodes.  A  commander  node,  say 
node  i,  can  use  Ti  ;(t)  based  on  its  own  local  view  to¬ 
wards  node  /  as  an  indicator  to  judge  if  node  /  satisfies 
the  mission-specific  trust  requirements  for  successful 
mission  execution.  More  importantly,  the  commander 
node  could  obtain  the  mission  success  probability  (as 
a  reliability  metric)  when  given  knowledge  regarding 
the  mission  failure  definition,  member  failure  defini¬ 
tion  and  mission  time. 

Let  R(t)  be  the  mission  reliability  given  that  the 
mission  time  is  t.  Then,  the  mission  success  probabil¬ 
ity,  denoted  by  Pmission /  is  simply  R(TR )  when  the 
commander  is  given  TR  as  the  mission  time,  i.e., 

Pmission  =  R(TR)  (8) 

The  mission  failure  definition  is  application  depend¬ 
ent.  Assume  that  the  commander  node  is  fault-free 
because  of  high  integrity  and  high  security  protection. 
Also  assume  that  the  mission  fails  if  at  least  n-k+1  out 
of  n  members  (trustees)  fail.  Let  fy(t)  be  member  fs 
reliability  at  time  t.  Then, 

*(0  =  in  wflci-W))  (9) 

\J\>k\jej  yey  / 

The  member  failure  definition,  on  the  other  hand, 
hinges  on  trustworthiness  of  each  individual  member. 
Suppose  there  are  two  trust  thresholds:  Mi  is  a  trust 
threshold  above  which  a  member  is  considered  com¬ 
pletely  trustworthy  for  successful  mission  completion 
and  M2  is  a  drop  dead  trust  level  below  which  a 
member  is  completely  not  trustworthy.  Below  we  give 
a  possible  definition  of  member  failure  based  on  dual 
trust  thresholds,  Mx  and  M2,  defined  above.  Specifical¬ 
ly,  if  at  any  time  t,  node  fs  trust  level  is  above  Mt  then 
node  /  is  completely  trustworthy,  so  its  instantaneous 
trustworthiness,  denoted  by  Xy(t),  is  1.  If  node  fs  trust 
level  is  below  M2  then  node  /  is  completely  untrust¬ 
worthy,  so  Xj(t)  is  0.  If  node  fs  trust  level  is  in  be¬ 
tween  Mx  and  M2  then  node  fs  instantaneous  trust¬ 
worthiness  is  calculated  as  the  ratio  of  its  trust  level  to 
Mv  The  commander  node,  node  /,  computes  member 
fs  reliability  fy(t)  based  on  node  fs  instantaneous 
trustworthiness  over  [0,  t].  If  at  any  time  t'  <  t, 
Xy(t')  =  0,  then  the  trust  level  of  node  /  is  not  accepta¬ 
ble,  so  Rj(t)  is  0;  otherwise,  Rj(t)  is  the  average  trust¬ 
worthiness  of  node  /  over  [0,  t].  Summarizing  above, 
node  i  computes  member  fs  reliability  Rj(t)  by: 


(  0,  if  Xj(t')  =  0  for  any  t'  <  t 

\  E[Xj(t')],  t '  <  t,  otherwise 

(  1,  (10) 

with  Xj(t')  =  j  0,  if  <  M2 

[Tij(t,)/Mv  otherwise 

Here  Xy(t')  is  the  instantaneous  trustworthiness  of 
node;  at  time  V  and  E[Xj(t')\  is  the  expected  value  of 
Xj(t'),  0<tr<t,  over  [0,  t].  One  can  see  that  the 
knowledge  of  7y(t)  is  very  desirable  for  the  com¬ 
mand  node  to  compute  PmiSsion  given  knowledge  re¬ 
garding  the  mission  execution  time,  member  failure 
definition,  and  mission  failure  definition. 

4  Performance  Model 

Our  analysis  methodology  is  model-based  and 
hinges  on  the  use  of  a  SPN  mathematical  model  to 
probabilistically  estimate  node  status  over  time,  given 
an  anticipated  operational  profile  as  input.  The  SPN 
outputs  provide  ground  truth  node  status  and  can 
serve  as  the  basis  for  "objective"  trust  evaluation.  Our 
goal  is  to  compare  "subjective"  trust  obtained  through 
protocol  execution  with  "objective"  trust  obtained 
through  the  SPN  outputs  to  provide  a  sound  theoreti¬ 
cal  basis  for  validating  the  algorithm  design  for 
SQTrust. 

A.  Node  SPN  for  Modeling  Node  Behavior 

Figure  1  shows  the  "node"  SPN  model  developed 
for  describing  the  lifetime  behavior  of  a  mobile  node 
in  the  presence  of  other  uncooperative  and  malicious 
nodes  in  a  mobile  group  following  the  input  opera¬ 
tional  profile.  The  system  SPN  model  consists  of  N 
node  SPN  models  where  N  is  the  number  of  nodes  in 
the  system.  We  utilize  the  node  SPN  model  to  obtain  a 
single  node's  information  (e.g.,  intimacy,  healthiness, 
energy,  and  cooperativeness)  and  to  derive  its  trust 
relationships  with  other  nodes  in  the  system.  It  also 
captures  location  information  of  a  node  as  a  function 
of  time.  We  consider  a  square-shaped  operational  area 
consisting  of  M*M  regions  each  with  the  width  and 
height  equal  to  radio  radius  R.  The  node  mobility 
model  is  specified  as  part  of  the  operational  profile. 


K  Member 


T_LOCATION  TJOIN  T_LEAVE 
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Figure  1:  Node  SPN  Model. 

The  reason  of  using  node  SPN  models  is  to  yield  a 
probability  model  (a  semi-Markov  chain  [30],  [36])  to 
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model  the  stochastic  behavior  of  nodes  in  the  system, 
given  the  system's  anticipated  operational  profile  as 
input.  The  theoretical  analysis  yields  objective  trust 
based  on  ground  truth  of  node  status,  against  which 
subjective  trust  as  a  result  of  executing  our  proposed 
trust  protocol  is  compared.  This  provides  the  theoret¬ 
ical  foundation  that  subjective  trust  (from  protocol 
execution)  is  accurate  compared  with  ground  truth. 
The  underlying  semi-Markov  chain  [30],  [36]  has  a 
state  representation  comprising  "places"  in  the  SPN 
model.  A  node's  status  is  indicated  by  a  5-component 
state  representation  ( Location ,  Member ,  Energy,  CN, 
UNCOOP)  with  " Location "  (an  integer)  indicating  the 
current  region  the  node  resides,  " Mernbe r"  (a  boolean 
variable)  indicating  if  the  node  is  a  member,  " Energy " 
(an  integer)  indicating  the  current  energy  level,  "CAT' 
(a  boolean  variable)  indicating  if  the  node  is  compro¬ 
mised,  and  "UNCOOF'  (a  boolean  variable)  indicat¬ 
ing  if  the  node  is  cooperative.  For  example,  place  Loca¬ 
tion  is  a  state  component  whose  value  is  indicated  by 
the  number  of  "tokens"  in  place  Location.  A  state  tran¬ 
sition  happens  in  the  semi-Markov  chain  when  a 
move  event  occurs  with  the  event  occurrence  time 
interval  following  a  probabilistic  time  distribution 
such  as  exponential,  Weibull,  Pareto,  and  hyper¬ 
exponential  distributions.  This  is  modeled  by  a  "tran¬ 
sition"  with  the  corresponding  firing  time  in  the  SPN 
model.  For  example,  when  the  node  moves  across  a 
regional  boundary  after  its  residence  time  in  the  pre¬ 
vious  region  elapses,  transition  TJLOCATION  will  be 
triggered,  thus  resulting  in  a  location  change.  This  is 
reflected  by  flushing  all  the  tokens  in  place  Location 
and  replacing  by  a  number  of  tokens  corresponding  to 
the  id  of  the  new  region  it  moves  into.  After  the  move, 
the  value  of  " Location "  will  be  the  id  of  the  new  region 
it  moves  into.  Thus  the  three  primary  entities,  i.e., 
places,  tokens,  and  transitions,  allow  the  node  SPN 
model  to  be  constructed  to  describe  a  node's  lifetime 
behavior  dynamically  as  time  evolves.  Below  we  ex¬ 
plain  how  we  construct  the  node  SPN  model. 

Location:  Transition  TJLOCATION  is  triggered 
when  the  node  moves  to  another  region  from  its  cur¬ 
rent  location  with  the  rate  calculated  as  Sinit/R  (i.e., 
the  node's  mobility  rate)  based  on  an  initial  speed 
(Sinit)  and  wireless  radio  range  (R).  Depending  on  the 
location  a  node  moves  into,  the  number  of  tokens  in 
place  Location  is  adjusted.  Initially  for  simplicity  nodes 
are  randomly  distributed  over  the  operational  area 
based  on  uniform  distribution.  Suppose  that  nodes 
move  randomly.  Then  a  node  randomly  moves  to  one 
of  four  locations  in  four  directions  (i.e.,  north,  west, 
south,  and  east)  in  accordance  with  its  mobility  rate. 
To  avoid  end-effects,  movement  is  wrapped  around 
(i.e.,  a  torus  is  assumed).  The  underlying  semi- 
Markov  model  of  the  node  SPN  model  when  solved 
utilizing  solution  techniques  such  as  SOR,  Gauss 
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Seidel,  or  Uniformization  [36]  gives  the  probability 
that  a  node  is  at  a  particular  location  at  time  t,  e.g.,  the 
probability  that  node  i  is  located  in  region  j  at  time  t. 
This  information  along  with  the  location  information 
of  other  nodes  at  time  t  provides  global  information  if 
two  nodes  are  1-hop  neighbors  at  time  t. 

Intimacy:  Intimacy  trust  is  an  aggregation  of  direct 
interaction  experience  (Ti/irect>  ™timacy(t))  and  indirect 
interaction  experience  (Tjf  direct,  intimacy (*)).  Out  of  these 
two,  only  new  direct  interaction  experience  (Ti/irect> 
intimacy ^  via  j^-Uwp,  intimacy (ty  {s  calculated  based  on  if 
two  nodes  are  1-hop  neighbors  interacting  with  each 
other  via  packet  forwarding  and  routing.  Since  the 
node  SPN  model  gives  us  the  probability  that  a  node 
is  in  a  particular  location  at  time  t,  we  can  objectively 
compute  direct  interaction  experience 
7,1-hop,  intimacy  ^  (see  pqUatjon  3)  based  on  the  prob¬ 
ability  of  nodes  i  and  j  are  in  the  same  location  at  time 
t  from  the  output  of  the  two  SPN  models  associated 
with  nodes  i  and  j. 

Energy:  Place  Energy  represents  the  current  energy 
level  of  a  node.  An  initial  energy  level  of  each  node  is 
assigned  differently  to  reflect  node  heterogeneity.  We 
randomly  generate  a  number  between  12  to  24  hours 
based  on  uniform  distribution,  representing  a  node's 
initial  energy  level  Emit.  Then  we  put  a  number  of  to¬ 
kens  in  place  Energy  corresponding  to  this  initial  en¬ 
ergy  level.  A  token  is  taken  out  when  transition 
T_ENERGY  fires.  The  transition  rate  of  T_ENERGY  is 
adjusted  on  the  fly  based  on  a  node's  state:  it  is  lower 
when  a  node  becomes  uncooperative  to  save  energy 
and  is  higher  when  the  node  becomes  compromised 
so  that  it  performs  attacks  more  and  consumes  energy 
more.  Therefore,  depending  on  the  node's  status,  its 
energy  consumption  is  dynamically  changed. 

Healthiness:  A  node  is  compromised  when  transi¬ 
tion  T_COMPRO  fires.  The  rate  to  transition 
T_COMPRO  is  Xcom  as  the  node  compromising  rate 
(or  the  capture  rate)  reflecting  the  hostility  of  the  ap¬ 
plication.  If  the  node  is  compromised,  a  token  goes  to 
CN,  meaning  that  the  node  is  already  compromised 
and  may  perform  good-mouthing  and  bad-mouthing 
attacks  as  a  recommender  by  good-mouthing  a  bad 
node  with  a  high  trust  recommendation  and  bad- 
mouthing  a  good  node  with  a  low  trust  recommenda¬ 
tion. 

Cooperativeness:  Place  UNCOOP  represents 
whether  a  node  is  cooperative  or  not.  If  a  node  be¬ 
comes  uncooperative,  a  token  goes  to  UNCOOP  by 
triggering  T, UNCOOP.  We  model  a  node's  uncoop¬ 
erativeness  behavior  following  the  'node  behavior' 
model  discussed  in  Section  2.  Specifically,  the  rate  to 
transition  TJLJNCOOP  is  modeled  as  a  function  of  its 
remaining  energy,  the  mission  difficulty,  and  the 
neighborhood  uncooperativeness  degree  as  follows: 


rate  (T_U  N  COOP) 

_  fe  (E remain )/m  difficulty  ) fs  degree  )  (11) 

T9C 

where  Eremain  represents  the  node's  current  energy 
level  as  given  in  mark(Energy),  Mdifficulty  is  the  diffi¬ 
culty  level  of  the  given  mission,  Sdegree  is  the  degree 
of  uncooperativeness  computed  based  on  the  ratio  of 
uncooperative  nodes  to  cooperative  nodes  among  1- 
hop  neighbors  and  he  is  the  group  communication 
interval  over  which  a  node  may  decide  to  become  un¬ 
cooperative  in  protocol  execution  and  drop  packets. 
The  form  f(x)  =  ax ~£  follows  the  demand-pricing 
relationship  in  Economics  [4]  to  model  the  effect  of  its 
argument  x  on  the  uncooperative  behavior,  including: 

•  fe(Eremain):  If  a  node  has  a  lower  level  of  ener¬ 
gy,  it  is  less  likely  to  be  cooperative.  This  is  to  con¬ 
sider  a  node's  individual  utility  in  resource- 
constrained  environments. 

•  fm(M difficulty)'-  If  a  node  is  assigned  to  a  more 
difficult  mission,  it  is  more  likely  to  be  cooperative 
to  ensure  successful  mission  execution. 

•  fs{Sdegree):  If  a  node's  1-hop  neighbors  are  not 
very  cooperative,  the  node  is  more  likely  to  be  co¬ 
operative  to  complete  a  given  mission  successfully. 

A  compromised  node  is  necessarily  uncooperative  as 
it  won't  follow  the  protocol  execution  rules.  So  if  place 
CN  contains  a  token,  place  UNCOOP  will  also  contain 
a  token. 


B.  Objective  Trust  Evaluation 

With  the  node  behaviors  modeled  by  a  probability 
model  (a  semi-Markov  chain)  described  above,  the 
objective  trust  evaluation  of  node  j  in  trust  component 
X,  i.e.,  T°bi*(t),  can  be  obtained  based  on  exact  global 
knowledge  about  node  j  as  modeled  by  its  node  SPN 
model  that  has  met  the  convergence  condition  with 
the  location  information  supplied.  To  calculate  each  of 
these  objective  trust  probabilities  of  node  j,  one  would 
assign  a  reward  of  rs  with  state  s  of  the  underlying 
semi-Markov  chain  of  the  SPN  model  to  obtain  the 
probability  weighed  average  reward  as: 

7}°bM(t)  =  Esejfo  *  m)  (12) 

for  X  =  healthiness,  energy  or  cooperativeness,  and  as: 

_  ft-dAtEs€s(r5*Ps(tQ)rit'  (13) 

for  X  =  intimacy.  Here  S  indicates  the  set  of  states  in 
the  underlying  semi-Markov  chain  of  our  SPN  model, 
rs  is  the  reward  to  be  assigned  to  state  s,  and  P5(t)  is 
the  probability  that  the  system  is  in  state  s  at  time  t, 
which  can  be  obtained  by  solving  the  underlying 
semi-Markov  model  of  our  SPN  model  utilizing  solu¬ 
tion  techniques  such  as  SOR,  Gauss  Seidel,  or  Uni¬ 
formization  [36].  Table  1  summarizes  specific  reward 
assignments  used  to  calculate  TobJX(t)  for 


X=intimacy/  healthiness,  energy,  or  cooperativeness. 
In  Table  1,  ET  is  the  energy  threshold  below  which  the 
energy  trust  toward  a  node  goes  to  0.  Once  Tj0b^,x(t)  is 
obtained,  we  compute  the  average  objective  trust  val¬ 
ue  of  node;,  Tj0bJ(t),  based  on  Equation  7. 

Here  we  note  that  in  Table  1  we  assign  a  binary 
trust  value  of  0  or  1  to  a  state  in  which  it  is  clear  in  this 
particular  state  the  trust  value  is  either  0  or  1.  Since 
the  system  evolves  over  time  and  there  is  a  probability 
that  it  may  stay  at  any  state  at  time  t  with  all  state 
probabilities  sum  to  1,  the  expected  value  of  a  trust 
property  (intimacy,  healthiness,  energy  or  coopera¬ 
tiveness)  at  time  t  based  on  a  state-probability- 
weighted  trust  calculation  is  a  real  number  between  0 
and  1. 

C.  Subjective  Trust  Evaluation 

Unlike  objective  trust  evaluation,  subjective  trust 
evaluation  is  based  on  Equations  1-4  following  the 
trust  protocol  execution.  In  particular,  in  Equation  3,  a 
node  must  assess  T^Jhop>  *(t)  of  its  1-hop  neighbors 
using  the  detection  mechanisms  for  trust  component 
X  described  in  Section  3.  Because  the  assessment  is 
direct,  assuming  that  the  detection  mechanisms  are 
effective,  Ty~hop,x(t)  computed  by  node  i  will  be  close 
to  actual  status  of  node  ;  at  time  t,  which  can  be  ob¬ 
tained  from  the  SPN  model  output.  We  assert  that  all 
detection  mechanisms  (discussed  in  Section  3)  are  ef¬ 
fective  and  accurate,  except  for  the  anomaly  detection 
mechanisms  for  detecting  unhealthiness  because  of 
imperfection  in  anomaly  detection,  causing 
Tijh °V>  healthlness  (t)  to  deviate  from  the  actual  health¬ 
iness  status  of  node  ;.  The  imperfection  is  accounted 
for  by  considering  the  false  alarm  probabilities  of 
anomaly  detection  mechanisms  employed,  i.e.,  a  false 
negative  probability  (Pfij)  and  a  false  positive  proba¬ 
bility  (PfP),  given  as  input  to  the  system.  Both  Pfn  and 
Pfp  can  be  obtained  from  the  provider  of  specific 
anomaly  detection  mechanisms,  e.g.,  [32].  Both  must 
be  sufficiently  low  (e.g.,  less  than  5%)  for  the  anomaly 
detection  mechanisms  to  be  considered  as  a  valid  de¬ 
sign. 

With  these  key  observations,  we  leverage  SPN  out¬ 
puts  reflecting  actual  status  of  nodes  to  predict 
T}jhop’  x(t)  which  would  be  obtained  by  node  i  at 
runtime.  Table  2  gives  specific  reward  assignments 
used  to  compute  T^Jhop'  x(t).  Here  we  note  that  when 
computing  T^Jh°Pt  healthiness^  «n  orcjer  to  account  for 

the  imperfection  of  the  anomaly  detection  mecha¬ 
nisms  employed  for  detecting  unhealthiness,  instead 
of  assigning  a  reward  of  1  if  node  ;  is  not  compro¬ 
mised,  i.e.,  mark(j's  CN)  =  0,  we  assign  a  reward  of  1- 
Pfp  to  account  for  the  false  positive  probability.  Also 


Table  1:  Reward  Assignments  for  Objective  Trust  Evaluation. 


Component  trust 
probability  toward 
node  j 

rs :  reward  assignment  to  state  s 

j,obj.  Intimacy  ^ 
j,  obi, healthiness  ^ 
job  j, energy  ^ 

pob  j  .cooperativeness 

1  if  mark(J's  location )  is  within  a  5- 
region  neighbor  area  at  time  t;  0  otherwise 

1  if  ( markij’s  CN)  =  0);  0  otherwise 

1  if  (markij's  Energy)  >  ET );  0  other¬ 
wise 

1  if  (mark(j's  UN  COOP)  =  0);  0  other¬ 
wise 

Table  2:  Reward  Assignments  for  Subjective  Trust  Evaluation. 

Component  trust 
probability  of  node 
i  toward  node  j 

rs :  reward  assignment  to  state  s 

j,l-hop,intimacy  ^ 

rp  l -hop, healthiness  ✓ .  x 
ll,j  w 

•p* -hop, energy  ^ 

rpl-hop.cooperativeness  ✓ .  x 
lt,j  \l) 

1  ifi  andj  are  1-hop  neighbors  within  last 
dAt ;  0  otherwise 

1  -PfV  if(mark(j's  CN)  =  0);  Pfn  otherwise 

1  if  ( mark(fs  Energy)  >  ET );  0  other¬ 
wise 

1  if  (mark(j’s  UNCOOP)  =  0);  0  other¬ 
wise 

instead  of  assigning  a  reward  of  0  if  node  ;  is  com¬ 
promised,  i.e.,  mark(j's  CN)  =  1,  we  assign  a  reward  of 
Pf*n  to  account  for  the  false  negative  probability.  All 
other  reward  assignments  for  X=intimacy,  energy, 
and  cooperativeness  simply  yield  the  actual  status  of 
node  j  in  trust  component  X  at  time  f. 

When  node  i  obtains  T^Jh0Pt  *(t),  it  computes 
pdjrect,  x ^  from  pqUa£jon  3  Then  node  i  computes 
rpindirect,  x ^  basecj  on  Equation  4,  as  well  as  Ttj(t) 
and  Titj(t )  from  Equations  2  and  1,  respectively.  Final¬ 
ly,  the  overall  average  subjective  trust  values  of  node 
;,  T)SUb,x(i)  and  T^it),  can  be  obtained  through  Equa¬ 
tions  5  and  6,  respectively.  We  compare  7}suZ?(t)  with 
objective  trust  7)0&7  (t)  for  validating  SQTrust  design. 

5  Evaluation  Results 

A.  Operational  Profile  as  Input 

Table  3:  Operational  Profile  for  a  Mobile  Group  Application. 


Parameter  Value  Parameter  Value 


#  of  regions 

6x6 

R 

250m 

area 

1250mxl250m 

Einit 

[12,  24]  hrs 

Sinit 

(0, 2]  m/sec. 

e 

1.2 

1/ •Icom 

18  hrs 

a 

0.8 

TSc 

120  sec. 

pH  pH 

_ Sr: lice— 

0.5% 

Table  3  lists  the  parameter  set  and  their  default  values 
specifying  the  operational  profile  given  as  input  for 
testing  SQTrust  for  a  mobile  group  application  in 
MANET  environments.  We  populate  a  MANET  with 
150  nodes  moving  randomly  with  speed  Simt  m  the 
range  of  (0,  2]  m/s  in  a  6x6  operational  region  in  a 
1250mxl250m  area,  with  each  region  covering 
R=250m  radio  radius.  The  environment  being  consid¬ 
ered  is  assumed  hostile  and  insecure  with  the  average 
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♦  objective  trust 

— •—  subjective  trust  -  90%  direct  evaluation 
— subjective  trust  -  80%  direct  evaluation 
h .  subjective  trust  -  70%  direct  evaluation 


subjective  trust  -  60%  direct  evaluation 


time  (min.) 

Figure  2:  Overall  Trust  Evaluation:  Subjective  Trust  is  Most  Ac¬ 
curate  When  using  85%  Direct  Trust  Evaluation  (fil:fi2=0.85:0.15 ). 

compromising  rate  X com  set  to  once  per  18  hours.  Each 
node's  energy  is  in  the  range  of  [12,  24]  hours.  Further 
each  node  observes  the  node  behavior  model  as  speci¬ 
fied  in  Section  2.C  and  Section  4.A  with  5=1.2,  a=0.8 
and  TgC= 120  sec.  Initially  all  nodes  are  not  compro¬ 
mised.  When  a  node  turns  malicious,  it  performs 
good-mouthing  and  bad-mouthing  attacks,  i.e.,  it  will 
provide  the  most  positive  recommendation  (that  is,  1) 
toward  a  bad  node  to  facilitate  collusion,  and  con¬ 
versely  the  most  negative  recommendation  (that  is,  0) 
toward  a  good  node  to  ruin  the  reputation  of  the  good 
node.  The  initial  trust  level  is  set  to  1  for  healthiness, 
energy  and  cooperativeness  because  all  nodes  are  con¬ 
sidered  trustworthy  initially.  The  initial  trust  level  of 
intimacy  is  set  to  the  probability  that  a  node  is  found 
to  be  in  a  5-region  neighbor  area  relative  to  6x6  re¬ 
gions  in  accordance  with  the  intimacy  definition. 

Given  this  operational  profile  as  input  to  the  mo¬ 
bile  group  application,  we  aim  to  identify  the  best  set¬ 
ting  of  f}\:  2  (with  higher  (h  meaning  more  direct  ob¬ 
servations  or  self-information  being  used  for  subjec¬ 
tive  trust  evaluation)  under  which  subjective  trust  is 
closest  to  objective  trust  We  also  aim  to  identify  the 
best  setting  of  wa:  w2:  w3:  w4  (the  weight  ratio  for  the  4 
trust  components  considered),  and  Mi  and  M2  (the 
minimum  trust  level  and  drop-dead  trust  level)  under 
which  the  application  performance  is  maximized.  For 
trust  protocol  execution,  we  set  the  decay  coefficient 
Xd  =  0.001,  and  the  trust  evaluation  interval  At  =  20 
min,  resulting  in  e~^dLt  =  0.98  to  model  small  trust 
decay  over  time.  Also  the  minimum  recommender 
threshold  T*  is  set  to  0.6,  the  trust  evaluation  window 
size  d  is  set  to  2,  and  the  minimum  energy  trust 
threshold  Et  is  set  to  0. 

B.  Identifying  SQTrust  Protocol  Settings  for  Accurate 
Peer-to-Peer  Subjective  Trust  Evaluation 

Figure  2  shows  the  node's  overall  trust  values  ob¬ 
tained  from  subjective  trust  evaluation  vs.  objective 
trust  evaluation,  i.e.,  vs.  Tj0bJ\t),  for  the  equal- 


weight  ratio  case  as  a  function  of  time,  with  pi:  p 2 
varying  from  0.6:  0.4  (60%  direct  evaluation:  40%  indi¬ 
rect  evaluation)  to  0.9:  0.1  (90%  direct  evaluation:  10% 
indirect  evaluation).  The  10%  increment  in  pi  allows 
us  to  identify  the  best  pi:  p2  ratio  under  which  subjec¬ 
tive  trust  is  closest  to  objective  trust.  We  see  that  sub¬ 
jective  trust  evaluation  results  are  closer  and  closer  to 
objective  trust  evaluation  results  as  we  use  more  con¬ 
servative  direct  observations  or  self-information  for 
subjective  trust  evaluation.  However,  there  is  a  cutoff 
point  (at  about  85%)  after  which  subjective  trust  eval¬ 
uation  overshoots.  This  implies  that  using  too  much 
direct  observations  for  subjective  trust  evaluation 
could  overestimate  trust  because  there  is  little  chance 
for  a  node  to  use  indirect  observations  from  trustwor¬ 
thy  recommenders.  Our  analysis  allows  such  a  cutoff 
point  to  be  determined  given  design  considerations 
regarding  trust  decay  over  time  (e“AdAt  =  0.98  for 
direct  trust  decay  in  our  case  study). 

C.  Identifying  Best  Trust  Formation  Setting  to  Max¬ 
imize  Application  Performance 

We  consider  a  mission-oriented  mobile  group  applica¬ 
tion  scenario  in  which  a  commander  node,  say  node  i, 
dynamically  selects  n  nodes  (n= 5  in  the  case  study) 
which  it  trusts  most  out  of  active  mobile  group  mem¬ 
bers  for  mission  execution.  We  consider  dynamic  team 
membership  such  that  after  each  trust  evaluation 
window  At  the  commander  will  reselect  its  most 
trusted  nodes  composing  the  team  for  mission  execu¬ 
tions  based  on  its  peer-to-peer  subjective  evaluation 
values  Ti  j(t )  toward  nodes  j's  as  calculated  from 
Equation  1.  The  rationale  behind  dynamic  member¬ 
ship  is  that  the  commander  may  exercise  its  best 
judgment  to  select  n  most  trusted  nodes  to  increase 
the  probability  of  successful  mission  execution.  As¬ 
sume  that  all  n  nodes  selected  at  time  t  are  critical  for 
mission  execution  during  [t,  f+At]  so  that  if  any  one 
node  selected  fails,  the  mission  fails.  We  can  then  ap¬ 
ply  Equations  8  and  9  to  compute  PmisSi0n  over  an  in¬ 
terval  [ t ,  f+At].  Since  all  time  intervals  are  connected 
in  a  series  structure,  PmiSsion  over  the  overall  mission 
period  [0,  TR]  can  be  computed  by  the  product  of  in¬ 
dividual  Pmission  s  over  intervals  [0,  At],  [At, 2 At],  ..., 
[TR-At,  TR]. 

Figure  3  shows  the  mission  success  probability 
P mission  as  a  function  of  mission  completion  deadline 
TR.  To  examine  the  effect  of  wt:  w2:w3:w4  (the  weight 
ratio  for  the  4  trust  components  considered  in  this  pa¬ 
per),  we  consider  5  test  cases:  (a)  equal-weight ,  (b)  social 
trust  only,  (c)  QoS  trust  only,  (d)  more  social  trust,  and 
(e)  more  QoS  trust  as  listed  in  Table  4  with  (Mi,  M2)  set 
to  (0.85,  0.55)  to  isolate  its  effect. 

For  all  test  cases  we  see  that  as  TR  increases,  the 
mission  success  probability  decreases  because  a  long¬ 
er  mission  execution  time  increases  the  probability  of 
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low-trust  nodes  (whose  population  increases  over 
time  because  of  cooperativeness  or  healthiness  trust 
decay)  becoming  members  of  the  team  for  mission 
execution.  For  comparison,  the  mission  success  prob¬ 
ability  Pmission  based  on  objective  trust  evaluation  re¬ 
sults  is  also  shown,  representing  the  ideal  case  in 
which  node  i  has  global  knowledge  of  status  of  all 
other  nodes  in  the  system  and  therefore  it  always 
picks  ti  truly  most  trustworthy  nodes  in  every  At  in¬ 
terval  for  mission  execution.  For  each  case,  we  also 
show  the  optimal  /?i:  ratio  (with  higher  /?i  meaning 
more  direct  observations  or  self-information  being 
used  for  subjective  trust  evaluation)  at  which 
Pmission  obtained  based  on  subjective  trust  evaluation 
results  is  virtually  identical  to  PmisSion  obtained  based 
on  objective  trust  evaluations. 

We  observe  that  as  more  social  trust  is  being  used 
for  subjective  trust  evaluation,  the  optimal  /?i:  fh  ratio 
increases,  suggesting  that  social  trust  evaluation  is 
very  subjective  in  nature  and  a  node  would  rather 
trust  its  own  interaction  experiences  more  than  rec¬ 
ommendations  provided  from  other  peers,  especially 
in  the  presence  of  malicious  nodes  that  can  perform 
good-mouthing  and  bad-mouthing  attacks.  Also  again 
we  observe  that  while  using  more  conservative  direct 

Legend: 

•  objective  Pmission 

-  subjective  Pmission  -  optimal  %  direct  evaluation 
■  subjective  Pmission  -  90%  direct  evaluation 
■  •  subjective  Pmission  -  80%  direct  evaluation 
N  subjective  Pmission  -  70%  direct  evaluation 
-  *■  -  subjective  Pmission  -  60%  direct  evaluation 


(b)  Social  Trust  Only. 


Table  4:  Weight  Ratio  for  Trust  Components. 


Test  case 

Weight  ratio 

Equal-weight 

uy  w2 :  w3:w4  =  0.25: 0.25: 0.25: 0.25 

Social  trust  only 

uy  w2:  w3:  w4  =  0.5: 0.5: 0: 0 

QoS  trust  only 

uy.  w2:  w3:  w4  =  0: 0: 0.5: 0.5 

More  social  trust 

uy  uyuy  vv4  =  0.35: 0.35:0.15: 0.15 

More  QoS  trust 

uy  uy  uy  w4  =  0.15: 0.15: 0.35: 0.35 

observations  or  self-information  for  subjective  trust 
evaluation  in  general  helps  in  bringing  subjective 
P mission  closer  to  objective  Pmissionr  there  is  a  cutoff 
point  after  which  subjective  trust  evaluation  over¬ 
shoots. 

Figure  3  demonstrates  the  effectiveness  of  SQTrust. 
When  given  an  operational  profile  characterized  by  a 
set  of  model  parameter  values  defined  in  Table  3,  the 
analysis  methodology  developed  in  this  paper  helps 
identify  the  best  weight  of  direct  observations  vs.  in¬ 
direct  recommendations  (i.e.,  /? i:  /fc)  to  be  used  for  sub¬ 
jective  trust  evaluation,  so  that  SQTrust  can  be  fine- 
tuned  to  yield  results  virtually  identical  to  those  by 
objective  trust  evaluation  based  on  actual  knowledge 
of  node  status. 

In  Figure  4  we  compare  Pmission  vs-  TR  for  the  mis¬ 
sion  group  under  various  w1:w2:w3:w4  ratios,  with 
each  operating  at  its  best  (hifii  ratio  identified  so  that 


(a)  Equal-Weight. 


(c)  QoS  Trust  Only. 
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Figure  3:  Mission  Success  Probability:  Subjective  vs.  Objective  Evaluation. 
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Figure  4:  Effect  of  wt:  w2:  w3:  w4  on  Mission  Success  Probability: 
Using  More  Social  Trust  Increases  Mission  Success  Probability. 


■  Ml  =  0.60,  M2  =  0.55  (88%  direct  evaluation) 

"— »  Ml  =  0.70,  M2  =  0.55  (86%  direct  evaluation) 

X  Ml  =  0.80,  M2  =  0.55  (84%  direct  evaluation) 

♦  Ml  =  0.90,  M2  =  0.55  (83%  direct  evaluation) 


Ml  =  1.00,  M2  =  0.55  (82%  direct  evaluation) 


Figure  5:  Effect  of  Ml  on  Mission  Success  Probability:  Using 
Higher  Ml  (Minimum  Trust  Level)  Decreases  Mission  Success 
Probability. 
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Figure  6:  Effect  of  M2  on  Mission  Success  Probability:  Using 
Higher  M2  (Drop  Dead  Trust  Level)  Decreases  Mission  Success 
Probability. 


in  each  test  case  subjective  PmiSSion  is  virtually  the 
same  as  objective  PmiSSion •  We  see  that  "social  trust 
only"  produces  the  highest  system  reliability,  while 
"QoS  trust  only"  has  the  lowest  system  reliability 
among  all,  suggesting  that  in  this  case  study  social 
trust  metrics  used  (intimacy  and  healthiness)  are  able 
to  yield  higher  trust  values  than  those  of  QoS  trust 
metrics  used  (energy  and  cooperativeness).  Certainly, 
this  result  should  not  be  construed  as  universal.  When 
given  an  operational  profiles  input,  the  model-based 
analysis  methodology  developed  in  this  paper  helps 
identify  the  best  w1:w2:w3:w4  weight  ratio  to  maxim¬ 
ize  the  system  reliability. 

Lastly  we  analyze  the  effect  of  mission  trust 
thresholds  Mi  (the  minimum  trust  level  required  for 


successful  mission  completion)  and  M2  (the  drop  dead 
trust  level).  Figures  5  and  6  show  PmiSSi0n  vs.  TR  for 
the  system  operating  under  best  /?i:/?2  settings  in  the 
equal-weight  case  for  each  (Mi,  M2)  combination.  Re¬ 
call  that  Mi  and  M2  are  the  high  and  low  trust  thresh¬ 
olds  to  determine  if  a  node  is  trustworthy  for  mission 
execution.  From  Figure  5,  we  see  that  as  Mi  increases, 
the  system  reliability  decreases  because  there  is  a 
smaller  chance  for  a  node  to  satisfy  the  high  threshold 
for  it  to  be  completely  trustworthy  for  mission  execu¬ 
tion.  Similarly  from  Figure  6,  we  see  that  as  M2  in¬ 
creases,  the  system  reliability  decreases  because  there 
is  a  higher  chance  for  a  node  to  be  completely  un¬ 
trustworthy  for  mission  execution.  We  also  observe 
that  the  reliability  is  more  sensitive  to  Mi  than  M2.  A 
system  designer  can  set  proper  Mi  and  M2  values 
based  on  the  mission  context  such  as  the  degree  of 
difficulty  and  mission  completion  deadline,  utilizing 
the  model-based  methodology  developed  in  the  paper 
to  analyze  the  effect  of  Mi  and  M2  so  as  to  improve  the 
system  reliability. 

6  Simulation  Validation 

We  validate  SQTrust  and  its  application  to  mobile 
group  reliability  assessment  through  extensive  simu¬ 
lation  using  ns-3  [22].  The  simulated  MANET  envi¬ 
ronment  is  setup  as  described  in  Table  3.  The  network 
consists  of  150  nodes  following  the  random  waypoint 
mobility  model  in  a  1500  m  x  1500  m  operational  area, 
with  the  speed  in  the  range  of  (0,  2]  m/s  and  pause 
time  of  zero.  The  initial  node  energy  is  in  the  range  of 
[40,  80]  joules,  corresponding  to  [12,  24]  hours  of  op¬ 
erational  time  in  normal  status.  A  node  may  be  com¬ 
promised  with  a  per-node  capture  rate  of  A com-  As  time 
progresses,  a  node  may  become  uncooperative,  the 
rate  of  which  is  implemented  according  to  Equation 
12.  When  a  node  becomes  uncooperative,  it  would  not 
follow  protocol  execution  and  will  drop  packets  to 
save  energy.  A  compromised  node  will  also  drop 
packets.  In  addition,  it  will  perform  bogus  message 
attacks,  as  well  as  good-mouthing  and  bad-mouthing 
attacks.  All  nodes  execute  SQTrust  as  described  in 
Section  3  to  perform  subjective  trust  evaluation. 

We  collect  simulation  data  to  validate  analytical  re¬ 
sults  reported  earlier.  Due  to  space  limitation,  we  only 
report  two  figures.  Figure  7  shows  the  simulation  re¬ 
sults  for  the  overall  subjective  trust  obtained  under 
the  equal-weight  case,  corresponding  to  Figure  2  ob¬ 
tained  earlier  from  theoretical  analysis.  As  in  Figure  2, 
we  simulate  7  cases  with  (3 1:  ^2  varying  from  0.6:  0.4  to 
0.9:  0.1.  For  each  case,  we  collect  observations  from 
sufficient  simulation  runs  with  disjoint  random  num¬ 
ber  streams  to  achieve  ±5%  accuracy  level  with  95% 
confidence.  The  simulation  results  in  Figure  7  are  re¬ 
markably  similar  to  the  analytical  results  shown  in 


— objective  trust  -  ±0.0412,  MSE=0.05% 

subjective  trust  (90%  direct  evaluation)  -  ±0.0399,  MSE=0.04% 
-  -A  -  -  subjective  trust  (80%  direct  evaluation)  -  ±0.0429,  MSE=0.02% 
— M  —  subjective  trust  (70%  direct  evaluation)  -  ±0.0450,  MSE=0.11% 
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Figure  7:  Simulation  Results  of  Overall  Trust  Corresponding  to 
Figure  2. 

social  trust  only  -  ±0.0004,  MSE=0.03% 

— more  social  trust  -  ±0.0004,  MSE=0.01% 
equal  weight  trust  -  ±0.0004,  MSE=0.02% 
more  QoS  trust  -  ±0.0005,  MSE=0.01% 

-  -  *  -  -  QoS  trust  only  -  ±0.0006,  MSE=0.01% 


Figure  8:  Simulation  Results  of  Reliability  Assessment  Corre¬ 
sponding  to  Figmure  4. 

Figure  2,  with  the  average  mean  square  error  (MSE) 
between  the  simulation  results  vs.  the  analytical  re¬ 
sults  less  than  5%. 

Figure  8  shows  the  simulation  results  for  the  effect 
of  w1:w2‘-  w3:  w4  on  mission  success  probability  Pmission, 
corresponding  to  Figure  4  obtained  earlier  from  ana¬ 
lytical  calculations.  As  in  Figure  4,  we  simulate  5  cases 
for  the  w\:  w 2:  W3:  m  weight  ratio  (see  Table  4).  We 
observe  that  Figure  8  is  virtually  identical  to  Figure  4 
in  shape  exhibiting  the  same  trend  that  using  more 
social  trust  would  yield  higher  system  reliability.  The 
MSE  is  remarkably  small  (less  than  0.03%)  for  all  cas¬ 
es.  We  conclude  that  our  analytical  results  reported  in 
Figures  2-6  are  accurate  and  valid. 

7  Conclusion 

In  this  paper,  we  proposed  and  analyzed  a  trust  man¬ 
agement  protocol  called  SQTrust  that  incorporates 
both  social  and  QoS  trust  metrics  for  subjective  trust 
evaluation  of  mobile  nodes  in  MANETs.  The  most 
salient  feature  of  SQTrust  is  that  it  is  distributed  and 
dynamic,  only  requiring  each  node  to  periodically 
estimate  its  degree  of  social  and  QoS  trust  toward  its 
peers  local  or  distance  away.  We  developed  a  novel 
model-based  methodology  based  on  SPN  techniques 
for  describing  the  behavior  of  a  mobile  group  consist¬ 
ing  of  well-behaved,  malicious  and  uncooperative 
nodes  given  the  anticipated  system  operational  profile 
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as  input.  By  using  a  probability  model  describing 
node  behavior  in  a  MANET  based  on  an  anticipated 
operational  profile  given  as  input,  we  allow  the  objec¬ 
tive  trust  values  of  nodes  to  be  calculated  based  on 
actual  status  of  nodes  as  time  progresses,  which 
serves  as  the  basis  for  validating  SQTrust  The  analyti¬ 
cal  results  validated  by  simulation  results  demon¬ 
strate  that  SQTrust  is  able  to  provide  accurate  subjec¬ 
tive  trust  evaluation  results  compared  with  objective 
trust  evaluation  results,  thus  supporting  its  resiliency 
property  to  bad-mouthing  and  good-mouthing  attacks 
by  malicious  nodes.  We  also  demonstrated  the  effect 
of  SQTrust  on  the  reliability  of  mission-oriented  mo¬ 
bile  groups  with  simulation  validation.  Using  mis¬ 
sion-oriented  mobile  groups  as  an  application,  we 
demonstrated  that  one  can  identify  the  best  trust  for¬ 
mation  to  maximize  the  application  performance  in 
terms  of  the  system  reliability. 

In  the  future  we  plan  to  investigate  the  notion  of 
adaptive  trust  management  by  which  the  trust  for¬ 
mation  formula  for  forming  trust  out  of  social  and 
QoS  components  is  dynamically  adjusted  in  response 
to  changing  environment  conditions  such  as  dynami¬ 
cally  evolving  hostility  or  evolving  mission  require¬ 
ments  to  optimize  application  performance. 
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